Acquisition Security Framework (ASF): Managing Systems Cybersecurity Risk
Abstract
The Acquisition Security Framework (ASF) is a collection of leading practices for building and operating secure and resilient software-reliant systems across the systems lifecycle. It enables programs to evaluate risks and gaps in their processes for acquiring, engineering, and deploying secure software-reliant systems and provides programs more insight and control over their supply chains. The ASF provides a roadmap for building security and resilience into a system rather than "bolting them on" after deployment. The framework is designed to help programs coordinate the management of engineering and supply chain risks across the many components of a system, including hardware, network interfaces, software interfaces, and mission capabilities. ASF practices promote proactive dialogue across all program and supplier teams, helping to integrate communications channels and facilitate information sharing. The framework is consistent with cybersecurity engineering, supply chain management, and risk management guidance from the International Organization for Standardization (ISO), National Institute of Standards and Technology (NIST), and Department of Homeland Security (DHS). This report presents an overview of the ASF and its development status. It also includes a snapshot of the practices that have been developed so far and outlines a plan for completing the ASF body of work.
Document Details
- Document Type: Technical Report
- Publication Date: Nov 11, 2022
- Accession Number: AD1185142
Entities
People
- Carol C. Woody
- Charles M. Wallen
- Christopher J. Alberts
- Michael Bandor
Organizations
- Carnegie Mellon University